Electronic health record databases proving to be some of the most lucrative stolen data sets in cybercrime underground.

Medical insurance identification, medical profiles, and even complete electronic health record (EHR) databases have attracted the eyes of enterprising black hats, who increasingly see EHR-related documents as some of the hottest commodities peddled in the criminal underground. A new report today shows that complete EHR databases can fetch as much as $500,000 on the Deep Web, and attackers are also making their money off of smaller caches of farmed medical identities, medical insurance ID card information, and personal medical profiles.

The data comes by way of a report from Trend Micro’s TrendLabs Forward-Looking Threat Research (FTR) Team, which took a comprehensive look at how attackers are taking advantage of healthcare organizations’ weaknesses to devastating effect. Cybercriminals always have their eyes open for new profitable revenue streams, and the poor security around increasingly data-rich EHR systems pose a huge opportunity for the bad guys.

“Monetizing raw data such as PII is nothing new in the underground. What makes EHR in the underground so different is that some of the data can be used to create a whole new list of offerings,” says Mayra Rosario Fuentes, the author of the TrendLabs report. “These wares include fraudulent documents like tax returns or fake IDs, fake driver’s licenses or birth certificates, but also stolen prescriptions with which the buyer can buy drugs. This gives them access to controlled substances such as Ambien, a popular sleep disorder medication known to be abused by many users.”

Fuentes and her FTR team combed through the Deep Web to understand pricing models used by the criminals to sell EHR data. Complete databases may be the most highly coveted items for sale, but other wares based on raw and processed stolen health data were well within the price ranges of even petty crooks.

Medical insurance IDs with valid prescriptions were selling for $0.50 US, and complete profiles of US victims including medical and health insurance data were selling for under $1. Meanwhile, fraudulent tax returns based on stolen medical records were marketed for $13.50 and fake birth certificates based on data stolen from medical records were selling for $500.

Attackers are practically printing money when it comes to this new line of stolen goods, considering how poorly healthcare organizations are protecting their key assets. According to a a separate report out today featuring a survey conducted by 451 Research on behalf of Thales, 69% of US healthcare organizations report their biggest spend is on perimeter defenses.

Meanwhile, they’re leaving holes in the network big enough to drive monster trucks through them, by way of Internet of Things (IoT) medical devices and other poorly secured systems. The TrendLabs report detailed research conducted through Shodan that showed how many of these systems were left accessible to the public internet with minimal to no access controls. Not only did these systems exposing the network to further lateral attacks, but in many instances they provided direct access to the EHR systems themselves, as was the case from exposed interfaces to Polycom conference systems that researchers found in one case.

February 09, 2017 – Flint, Michigan-based Singn and Arora Oncology Hematology is notifying 22,000 patients that some of their information may have been accessed in a cybersecurity breach, according to an ABC12 report.

An unauthorized user reportedly accessed one of the organization’s servers between February 2016 and July 2016. However, the practice did not become aware of the incident until August 2016.

Patient names, Social Security numbers, and insurance information were contained in the files. While there is no indication that the data was used for malicious purposes, Singn and Arora explained in its letter that it cannot say with complete certainty that the information was not compromised.

Potentially affected patients are being offered one year of complimentary free credit monitoring services.

10K impacted by unauthorized website access in Calif.

Verity Health System in California recently reported that an unauthorized third party may have accessed the personal information of “more than 9,000 individuals.”

Verity Health detected the access on January 6, 2017, and that it occurred on the Verity Medical Foundation-San Jose Medical Group website. The website is no longer in use but “immediate steps” were taken to secure it. The access reportedly took place between October 2015 and January 2017.

Potentially affected information included patient names, dates of birth, medical record numbers, addresses, email addresses, phone numbers and the last four digits of credit card numbers. However, full credit card numbers and Social Security numbers were not included. The data was also from 2010 to 2014.

While Verity reported 9,000 affected individuals in its statement, the OCR data breach reporting tool states that 10,164 were likely impacted.

“Verity Health System takes the security of our patients’ information seriously, and we regret that this incident occurred,” Verity Health CEO Andrei Soran said in a statement. “We took immediate steps to investigate this incident, notify the affected individuals and appropriate authorities, and ensure enhanced protection of our information systems going forward. We are working with a leading cyber-security firm to further evaluate the integrity of our information systems.”

Verity established a call center to answer questions and will also be offering potentially affected patients one free year of credit monitoring services.